siliconANGLE » Comodo Compromise Demonstrates Need for DNSSec Migration

Comodo Compromise Demonstrates Need for DNSSec Migration

George Ou | March 24th
READ MORE

Comodo, a company you probably never heard of which holds one of the many master keys to the Internet’s SSL X.509 Public Key Infrastructure (PKI) system, admitted that their root certificate authorities have been compromised by attackers.  Those attackers issued themselves SSL certificates for seven companies including Google, Skype, and Yahoo so they can fully masquerade as one of the seven companies with legitimate looking SSL certificates.  Comodo responded by revoking those certificates, but that won’t offer full protection until every device on the planet replicates the revocations and we have only Comodo’s word that more certificates haven’t been compromised.

This attack highlights a much more fundamental problem with X.509.  A lot of large companies will say “oh but we use more reputable certificate authorities for SSL”, but it doesn’t matter because the fundamental weakness of X.509 allows any one of the many certificate authorities to compromise the entire SSL PKI system.  Any nation (including rogue states) have access to the master keys.  Anyone willing to spend around $40,000 can simply buy themselves access to a root certificate (essentially a “master key”) that would allow them to create any SSL certificate they desire.  Although the terms of the root certification signing authority contractually forbid buyers from abusing their root certificate, it’s a useless trust based on the honor system.

DNSSEC is a new secure Domain Name System (DNS) that also has the ability to replace the fundamentally weak X.509 PKI system.  DNSSEC security is vastly more secure because of the following design features.

  • Only the DNSSEC roots have master keys.  By comparison, there are dozens of root authorities for X.509 and anyone with $40K or anyone who compromises one of the many root authorities have access to the master key.
  • Each DNSSEC root doesn’t have a full master key.  The .com root can’t sign for the .ca or .cn root.
  • DNSSEC delegates limited signing authority to each domain owner.  Each domain owner can sign their own certificates for their own servers and users, but they can only sign it for their own domain which eliminates the threat of signing abuse present with X.509.
  • Domain owners don’t need to pay hundreds of dollars for each server or user certificate like the current X.509 racket.  Not only does this save money, it removes barriers for the adoption of secure communications.

[Cross-posted at Digital Society]

In the same vein:

About George Ou

George Ou was a network engineer who built and designed wired network, wireless network, Internet, storage, security, and server infrastructure for various fortune 100 companies. He is also a Certified Information Systems Security Professional (CISSP #109250). He was Technical Director and Editor at Large at ZDNet.com and wrote one of their most popular blogs “Real World IT.” In 2008, he became a Senior Analyst at ITIF.org, and he currently writes for High Tech Forum
Post comment as
twitter logo facebook logo
Sort: Newest | Oldest